- IT Chief says passenger passport details not stored in system
- Mentions ongoing system safety vulnerability testing done with SLCERT
- Aviation Min. not notified of any breach
Despite uncorroborated reports that a significant data breach has occurred at the Airport and Aviation Services (Sri Lanka) (Private) Limited (AASL) in the Bandaranaike International Airport in Katunayake, no such incident has been reported and neither has such a data breach affected the data or operations handled by the AASL, according to the AASL.
The AASL clarified that no issues have been identified with their current database or systems and that it is actively working with the relevant institutions to investigate any potential security threats.
The AASL’s Head of Information Technology (IT), Udaya Lokuarachchi explained that although the said reports had claimed that sensitive information such as passengers’ passport details had been compromised, the AASL does not obtain or store such details under the existing systems.
He told The Daily Morning: “We don’t obtain or retain passengers’ passport information. We are the Airport operator. The only instance we collected such information was during the Covid-19 pandemic when health declaration forms were required for the incoming passengers. There was a system for that purpose at that time (databases pertaining to which are not currently active).”
The aforesaid reports, posted on the social media platform X by Falcon Feeds (an online threat intelligence platform for cyber security professionals), claimed: “A member of BreachForums has posted about a significant data breach involving the AASL. The compromised data includes approximately 7,083 records (containing sensitive information) such as slot identities/identifications (IDs), login IDs, passenger details, and passport numbers (and national ID cards and electronic mails)”.
Describing the safety measures that have been adopted by the AASL, Lokuarachchi further explained that the AASL conducts tests to ensure the safety of its systems, including vulnerability tests conducted with the involvement of the Sri Lanka Computer Emergency Readiness Team (SLCERT).
“All our systems and databases remain unblocked,” he said. Adding that all necessary measures are being taken regularly to ensure cyber security, he said that a vulnerability test is being conducted even at present. Revealing that no data breach has been reported at the AASL during the past three-four years, Lokuarachchi stressed that the AASL takes measures to identify vulnerabilities whether it receives reports about data breaches or not.
He also added that the AASL is monitoring the situation closely and is not dismissing the reports as mere misinformation. “We will continue to monitor this matter further without disregarding the reports claiming them as 'misinformation'. However, I assure you that all AASL systems are currently functioning without any obstruction.”
Additionally, Secretary to the Ministry of Ports, Shipping, and Aviation, K.D.S. Ruwanchandra told The Daily Morning that the Ministry has not been notified about any data breach. “Thus far, the Ministry has not been informed about such a data breach,” Ruwanchandra noted.